It may be useful to do a search for local administrative accounts in your device fleet. You could grab timestamps of when accounts were created to gain more insight.
SELECT username, groupname, type, u.UID, g.GID, Description, comment
FROM users u
JOIN user_groups ug ON ug.UID = u.UID
JOIN groups g ON g.GID = ug.GID
WHERE g.GROUPNAME = "Administrators"
AND u.type = "local";